Description
The Team Section Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user-supplied social network link URLs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-01-17
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross-Site Scripting (XSS)
Action: Immediate Patch
AI Analysis

Impact

The Team Section Block plugin for WordPress contains a stored cross-site scripting flaw in all releases up to and including 2.0.0. Social network link URLs supplied by the user are stored without validation and later rendered without proper escaping, so an authenticated user with Contributor-level access or higher can inject arbitrary JavaScript into the page. That script then executes in the browser of anyone viewing the affected page, which can allow session hijacking, content defacement, or delivery of phishing content. The weakness is improper neutralization of input during web page generation, identified as CWE-79.
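The two failures named above (no scheme validation on the stored URL, and no escaping when it is written into the page) are easiest to see side by side. The following is an added JavaScript example, not code from the Team Section Block plugin, and it makes no claim about how that plugin renders its links; the function names, the scheme allow-list and the sample URLs are illustrative assumptions. In a WordPress PHP render callback the equivalent calls are `esc_url()` for the link target and `esc_attr()` / `esc_html()` for the output.

```javascript
// Added example (not the plugin's code): a social-link renderer with the
// vulnerable pattern beside a hardened one.

// Assumed allow-list: schemes a team member's social link may legitimately use.
const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// Escape the characters that can terminate an HTML attribute or text node.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Return a normalised absolute URL, or null if the input must be rejected.
// The WHATWG URL parser lower-cases the scheme and rejects relative or
// malformed input, so mixed-case or whitespace-padded "javascript:" links
// cannot slip past the allow-list check (the same idea behind esc_url()).
function sanitizeSocialUrl(raw) {
  if (typeof raw !== "string") return null;
  let parsed;
  try {
    parsed = new URL(raw.trim());
  } catch {
    return null; // relative or unparseable; social links must be absolute
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) return null;
  return parsed.href;
}

// Vulnerable pattern: the stored value is interpolated straight into the
// attribute, so a quote in the URL ends the attribute and a javascript: URL
// becomes an executable link. This is the class of bug the advisory describes.
function renderSocialLinkUnsafe(label, url) {
  return `<a href="${url}">${label}</a>`;
}

// Hardened pattern: validate the scheme on the way in, escape on the way out,
// and drop links that fail validation rather than rendering them.
function renderSocialLinkSafe(label, url) {
  const safeUrl = sanitizeSocialUrl(url);
  if (safeUrl === null) return "";
  return `<a href="${escapeHtml(safeUrl)}" rel="noopener noreferrer">${escapeHtml(label)}</a>`;
}

// Constructed sample inputs: one legitimate link, one attribute breakout.
const samples = [
  ["Profile", "https://example.com/team/alice"],
  ["Profile", 'https://example.com/"><b>'],
];
for (const [label, url] of samples) {
  console.log("unsafe:", renderSocialLinkUnsafe(label, url));
  console.log("safe:  ", renderSocialLinkSafe(label, url) || "(link dropped)");
}
```

Both halves matter: escaping alone would still emit a `javascript:` link as a clickable `href`, and scheme validation alone would still let a quote character break out of the attribute, which is why the advisory names input sanitization and output escaping as separate gaps.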

Affected Systems

Any WordPress site that has installed the Team Section Block – Showcase Team Members with Layout Options plugin and is running version 2.0.0 or older. No other products or versions are listed as affected.

Risk and Exploitability

The vulnerability has a CVSS score of 6.4, indicating moderate severity, and an EPSS score of less than 1%, meaning exploitation is currently considered unlikely. It is not listed in the CISA KEV catalog. Attackers must be authenticated with Contributor-level access or higher, which is the minimum capability required to edit the block and insert malicious URLs. Once injected, the payload executes for any viewer of the page, giving the attacker the ability to perform a range of malicious actions in the context of the victim site.

Generated by OpenCVE AI on April 16, 2026 at 18:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Team Section Block plugin to version 2.0.1 or later
  • Immediately remove any malicious URLs stored in the team blocks or replace the block content with sanitized inputs
  • Restrict Contributor-level roles or audit existing contributors to ensure only trusted users have edit permissions for the plugin blocks

Advisories

No advisories yet.

History

Wed, 21 Jan 2026 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 19 Jan 2026 09:45:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Wordpress, Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Wordpress, Wordpress wordpress

Sat, 17 Jan 2026 07:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Team Section Block plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's block in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping on user-supplied social network link URLs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Removed: (none)
Values Added: Team Section Block <= 2.0.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Social Network Link

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-79

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:57:17.071Z

Reserved: 2026-01-09T21:31:12.462Z

Link: CVE-2026-0833

Vulnrichment

Updated: 2026-01-21T16:07:04.759Z

NVD

Status: Deferred

Published: 2026-01-17T07:16:02.300

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-0833

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T18:15:43Z

Weaknesses